
Nginx Official Nginx HTTP/3 QUIC Tech Preview announced

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jun 11, 2020.

  1. eva2000

    eva2000 Administrator Staff Member

    53,530
    12,134
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,677
    Local Time:
    7:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Nice, there's more progress :D Seems to work in private tests built with GCC 12 for Centmin Mod Nginx + quicTLS (OpenSSL 1.1.1t forked with QUIC support) for Nginx HTTP/3 on AlmaLinux 8 VPS :)

    But yeah Nginx official with quicTLS HTTP/3 is still buggy.

     
  2. buik

    buik “The best traveler is one without a camera.”

    2,001
    519
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,651
    Local Time:
    11:45 PM
    Nice catch.

    It seems like they don't find the code very stable either.
    Almost 2 years ago, the plan was to integrate HTTP/3 into the NGINX mainline branch.
    This still hasn't happened.

    Since F5 took over Nginx, the priority is clearly on Plus.

    Do not use Nginx Quic in production is my advice.

     
  3. eva2000

    Yeah, though I think it's also being cautious. What makes developing Centmin Mod with Nginx great is that Nginx in most cases just works as intended and is fairly bug free. Nginx HTTP/3 is a lot more tricky due to testing all cases and also the dependencies for QUIC not being native to all Linux operating systems. Nginx has a lot of users that require stability, so being cautious is needed.

    Just look at the Google AI Bard demo, where an incorrect answer resulted in their share price losing $100 billion in value IIRC!

    Same thing with Centmin Mod and why I need a stable and beta branch. In the early days I could deploy changes with less testing and fix later, as I only had a small number of users and sites using Centmin Mod. Nowadays there are between 30000 and 100000 sites using Centmin Mod that advertise they do via HTTP headers, which excludes those sites that hide those HTTP headers. So more testing to ensure stability is needed before changes are made. In this case, how fast and how much feedback and bug reporting is made by Centmin Mod users will determine the pace of development and stability of Centmin Mod, given I only have so many free hours.
     
  4. rdan

    rdan Well-Known Member

    5,439
    1,398
    113
    May 25, 2014
    Ratings:
    +2,187
    Local Time:
    5:45 AM
    Mainline
    10.2
    I've been using that official nginx-quic ppa on Ubuntu 22.04 for 22+ hours now on a video-heavy XF2 website (not using Cloudflare) and it works great without any issue so far.
     
  5. eva2000

    Keep us updated :) The best part of this news is that Nginx are confident enough to release the beta Nginx QUIC/HTTP3 binaries for public testing now as opposed to in the past. But remember it is still beta testing :)

    Curious for that nginx-quic binary what is output for
    Code (Text):
    nginx -V
    

    wrap in QUOTE tags and for
    Code (Text):
    ldd $(which nginx)
    

    wrap in CODE or CODEB tags
     
  6. rdan

    Code (Text):
            linux-vdso.so.1 (0x00007ffda79a5000)
            libssl.so.81.3 => /lib/x86_64-linux-gnu/libssl.so.81.3 (0x00007fe3f179f000)
            libcrypto.so.81.3 => /lib/x86_64-linux-gnu/libcrypto.so.81.3 (0x00007fe3f1355000)
            libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fe3f131b000)
            libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007fe3f1284000)
            libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fe3f1268000)
            libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe3f1040000)
            /lib64/ld-linux-x86-64.so.2 (0x00007fe3f1a9d000)
    
     
  7. eva2000

    Interesting to see how Ubuntu Nginx QUIC binary was built. This is how Centmin Mod 130.00beta01 is on AlmaLinux 8 with optional support for either quicTLS OpenSSL 1.1.1 fork or quicTLS OpenSSL 3.0.x fork crypto libraries installed at /opt/openssl-quic/lib as well as optional PCRE or PCRE2 support. Looks like Nginx QUIC uses quicTLS OpenSSL 3.0 fork with libraries at /usr/lib/x86_64-linux-gnu/quictls and installed at /lib/x86_64-linux-gnu/.

    Code (Text):
    ldd $(which nginx)
            linux-vdso.so.1 (0x00007ffc231e7000)
            libssl.so.81.1.1 => /opt/openssl-quic/lib/libssl.so.81.1.1 (0x00007f68ceafb000)
            libcrypto.so.81.1.1 => /opt/openssl-quic/lib/libcrypto.so.81.1.1 (0x00007f68ce681000)
            libjemalloc.so.2 => /usr/local/nginx-dep/lib/libjemalloc.so.2 (0x00007f68ce3c4000)
            libdl.so.2 => /lib64/libdl.so.2 (0x00007f68ce1c0000)
            libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f68cdfa0000)
            libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f68cdd77000)
            libpcre.so.1 => /usr/local/nginx-dep/lib/libpcre.so.1 (0x00007f68cea77000)
            libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f68cdb3a000)
            libatomic_ops.so.1 => /lib64/libatomic_ops.so.1 (0x00007f68cd937000)
            libc.so.6 => /lib64/libc.so.6 (0x00007f68cd571000)
            libm.so.6 => /lib64/libm.so.6 (0x00007f68cd1ef000)
            libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f68cce5a000)
            libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f68ccc42000)
            /lib64/ld-linux-x86-64.so.2 (0x00007f68ce968000)
    
     
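Added example, not part of the original posts or of Centmin Mod: the two ldd listings above differ in where libssl and libcrypto resolve, which matters when tracking security updates for those libraries. This script reads ldd output and lists the TLS libraries plus anything loaded from outside the system library directories; the function names, the soname heuristic and the "built locally" assumption belong to this example, and the sample is constructed from the lines in post 7.

```sh
#!/bin/sh
# Added example: classify what an nginx binary loads, from `ldd` output on stdin.

# Print "<soname> <path> <flavour>" for each libssl/libcrypto dependency.
# Heuristic from this thread: both QUIC builds link sonames of the form *.so.81.x.
tls_libs() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
        flavour = ($1 ~ /\.so\.81\./) ? "quictls" : "other"
        print $1, $3, flavour
    }'
}

# Print libraries resolved outside the standard system library directories.
# Assumption: those were built locally, so OS package updates never patch them.
non_system_libs() {
    awk '$2 == "=>" && $3 ~ /^\// && $3 !~ /^\/(usr\/)?lib(64)?\// { print $1, $3 }'
}

# Constructed sample: a subset of the AlmaLinux 8 ldd lines from post 7.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc231e7000)
    libssl.so.81.1.1 => /opt/openssl-quic/lib/libssl.so.81.1.1 (0x00007f68ceafb000)
    libcrypto.so.81.1.1 => /opt/openssl-quic/lib/libcrypto.so.81.1.1 (0x00007f68ce681000)
    libjemalloc.so.2 => /usr/local/nginx-dep/lib/libjemalloc.so.2 (0x00007f68ce3c4000)
    libpcre.so.1 => /usr/local/nginx-dep/lib/libpcre.so.1 (0x00007f68cea77000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f68cd571000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f68ce968000)'

printf '%s\n' "$SAMPLE_LDD" | tls_libs
printf '%s\n' "$SAMPLE_LDD" | non_system_libs
# Live use: ldd "$(command -v nginx)" | non_system_libs
```
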
  8. eva2000

    Might as well put it out there for testing only (not production use). If you're using Centmin Mod 130.00beta01 and not using Cloudflare in front of your Centmin Mod server and want to test Centmin Mod Nginx with QUIC/HTTP3 support, you can run cmupdate command and then run centmin.sh menu option 4 and when asked for Nginx version to update/compile, answer = quic. If you use Cloudflare in front of Centmin Mod Nginx server, then there's no point to test Centmin Mod Nginx QUIC/HTTP3 as Cloudflare already provides HTTP/3 support.

    That's it for Nginx QUIC HTTP/3 binary using the word = quic :) Then follow instructions at https://www.nginx.com/blog/binary-packages-for-preview-nginx-quic-http3-implementation/ for adding the server{} context listen directives for http3 and reuseport (only use once per IP address / port pairing) and add_header Alt-Svc 'h3=":$server_port"; ma=86400'; line. Just remember to remove them if you switch back to regular non-quic Nginx versions.
     
  9. buik

    Not a beta but experimental:)

     
  10. eva2000

  11. rdan

    Oh s.... :D
    Just an update, with that Nginx-Quic installed.
    Serving large video files is a lot slower to users, like 2-3x slower compared to the mainline version.
     
  12. eva2000

    Got actual metric/numbers of nginx quic (HTTP/3) vs non-quic (HTTP/2)?
     
  13. rdan

    Oops, I already reverted back to Ubuntu default Nginx package.
    I will do a comparison later when I have time.
     
  14. eva2000

  15. eva2000

    Tested Centmin Mod Nginx with the latest HTTP/3 QUIC Nginx code. Unfortunately, it seems some tools/tests aren't working, like h2load load testing and curl, where both h2load 1.54 dev and curl 8.1.1 dev were custom built with the same HTTP/3 support via the OpenSSL 1.1.1t quicTLS forked library. Both seem to get ERR_DRAINING errors:

    Code (Text):
    h2load --npn-list h3 -t1 -c10 -n100 -m32 https://domain.com/
    starting benchmark...
    spawning thread #0: 10 total client(s). 100 total requests
    TLS Protocol: TLSv1.3
    Cipher: TLS_AES_256_GCM_SHA384
    Server Temp Key: X25519 253 bits
    Application protocol: h3
    ngtcp2_conn_read_pkt: ERR_DRAINING
    ngtcp2_conn_read_pkt: ERR_DRAINING
    ngtcp2_conn_read_pkt: ERR_DRAINING
    ngtcp2_conn_read_pkt: ERR_DRAINING
    ngtcp2_conn_read_pkt: ERR_DRAINING
    

    Code (Text):
    curl --http3 -Iv https://domain.com/
    *   Trying 1.2.3.4:443...
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: none
    *  subjectAltName: host "domain.com" matched cert's "domain.com"
    * Verified certificate just fine
    * Connected to domain.com (1.2.3.4) port 443 (#0)
    * using HTTP/3
    * Using HTTP/3 Stream ID: 0 (easy handle 0x559094f83a20)
    > HEAD / HTTP/3
    > Host: domain.com
    > User-Agent: curl/8.1.1-DEV
    > Accept: */*
    >
    * ngtcp2_conn_writev_stream returned error: ERR_DRAINING
    * ngtcp2_conn_writev_stream returned error: ERR_DRAINING
    * ngtcp2_conn_writev_stream returned error: ERR_DRAINING
    

    Using the same curl 8.1.1 dev built with HTTP/3 support, a test against a Cloudflare site is OK:
    Code (Text):
    curl --http3 -I https://domain.com/
    HTTP/3 200
    date: Sat, 20 May 2023 07:34:37 GMT
    content-type: text/html; charset=utf-8
    last-modified: Sat, 20 May 2023 03:19:22 GMT
    vary: Accept-Encoding
    x-powered-by: centminmod
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    cf-cache-status: DYNAMIC
    server: cloudflare
    cf-ray: 7ca2e5f1783603d9-DFW
    

    No problems with the same h2load binary and HTTP/2 tests:
    Code (Text):
    h2load --npn-list h2 -t1 -c10 -n100 -m32 https://domain.com/
    starting benchmark...
    spawning thread #0: 10 total client(s). 100 total requests
    TLS Protocol: TLSv1.3
    Cipher: TLS_AES_256_GCM_SHA384
    Server Temp Key: X25519 253 bits
    Application protocol: h2
    progress: 10% done
    progress: 20% done
    progress: 30% done
    progress: 40% done
    progress: 50% done
    progress: 60% done
    progress: 70% done
    progress: 80% done
    progress: 90% done
    progress: 100% done
    
    finished in 15.83ms, 6318.72 req/s, 39.67MB/s
    requests: 100 total, 100 started, 100 done, 100 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 100 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 642.96KB (658390) total, 18.07KB (18500) headers (space savings 30.19%), 622.66KB (637600) data
                        min         max         mean         sd        +/- sd
    time for request:      699us      8.89ms      3.73ms      2.55ms    63.00%
    time for connect:     1.85ms      5.52ms      3.89ms      1.27ms    60.00%
    time to 1st byte:     6.07ms     14.02ms      9.15ms      2.82ms    70.00%
    req/s           :     657.92     1505.55     1061.14      302.46    60.00%
    
     
  16. eva2000

    Strangely, it works now!
    Code (Text):
    h2load --npn-list h3 -t1 -c10 -n100 -m32 https://domain.com
    starting benchmark...
    spawning thread #0: 10 total client(s). 100 total requests
    TLS Protocol: TLSv1.3
    Cipher: TLS_AES_256_GCM_SHA384
    Server Temp Key: X25519 253 bits
    Application protocol: h3
    progress: 10% done
    progress: 20% done
    progress: 30% done
    progress: 40% done
    progress: 50% done
    progress: 60% done
    progress: 70% done
    progress: 80% done
    progress: 90% done
    progress: 100% done
    
    finished in 10.12ms, 9881.42 req/s, 62.32MB/s
    requests: 100 total, 100 started, 100 done, 100 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 100 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 645.79KB (661290) total, 18.55KB (19000) headers (space savings 32.86%), 626.56KB (641600) data
    UDP datagram: 57 sent, 600 received
                         min         max         mean         sd        +/- sd
    time for request:     3.23ms      5.03ms      3.81ms       582us    63.00%
    time for connect:     2.28ms      5.33ms      4.06ms      1.01ms    70.00%
    time to 1st byte:     5.85ms      8.95ms      7.52ms      1.02ms    70.00%
    req/s           :    1064.30     1463.68     1175.90      123.80    90.00%
    

    Code (Text):
    curl -Iv --http3 https://domain.com
    *   Trying 1.2.3.4:443...
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: none
    *  subjectAltName: host "domain.com" matched cert's "domain.com"
    * Verified certificate just fine
    * Connected to domain.com (1.2.3.4) port 443 (#0)
    * using HTTP/3
    * Using HTTP/3 Stream ID: 0 (easy handle 0x5565d44aaa20)
    > HEAD / HTTP/3
    > Host: domain.com
    > User-Agent: curl/8.1.1-DEV
    > Accept: */*
    >
    < HTTP/3 200
    HTTP/3 200
    < date: Sun, 21 May 2023 03:28:10 GMT
    date: Sun, 21 May 2023 03:28:10 GMT
    < content-type: text/html; charset=utf-8
    content-type: text/html; charset=utf-8
    < content-length: 6416
    content-length: 6416
    < last-modified: Sat, 20 May 2023 21:18:27 GMT
    last-modified: Sat, 20 May 2023 21:18:27 GMT
    < vary: accept-encoding
    vary: accept-encoding
    < etag: "64693923-1910"
    etag: "64693923-1910"
    < server: nginx centminmod
    server: nginx centminmod
    < x-powered-by: centminmod
    x-powered-by: centminmod
    < alt-svc: h3=":443"; ma=86400
    alt-svc: h3=":443"; ma=86400
    < x-protocol: HTTP/3.0
    x-protocol: HTTP/3.0
    < accept-ranges: bytes
    accept-ranges: bytes
    
    <
    * Connection #0 to host domain.com left intact
    
     
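Added example, not part of the thread or of Centmin Mod: post 8 asks for an Alt-Svc header to be added (and removed again when reverting to a non-QUIC build), and the curl output in posts 15 and 16 shows what clients receive. This script parses saved `curl -I` headers and checks that final h3 is advertised on the expected port; the function names are this example's own and the sample headers are constructed from the values shown above.

```sh
#!/bin/sh
# Added example: inspect the Alt-Svc header in saved `curl -I` output (stdin).

# Print one line per advertised alternative: "<protocol> <port> <max-age>".
alt_svc_entries() {
    tr -d '\r' | awk '
    tolower($0) ~ /^alt-svc:/ {
        sub(/^[^:]*:[ \t]*/, "")               # drop the header name
        n = split($0, alts, /[ \t]*,[ \t]*/)   # one element per alternative
        for (i = 1; i <= n; i++) {
            if (alts[i] == "clear") { print "clear - -"; continue }
            m = split(alts[i], parts, /[ \t]*;[ \t]*/)
            proto = parts[1]; sub(/=.*/, "", proto)
            port = parts[1]; sub(/^[^=]*="[^:]*:/, "", port); sub(/".*/, "", port)
            ma = 86400                         # RFC 7838 default when ma is absent
            for (j = 2; j <= m; j++)
                if (parts[j] ~ /^ma=/) { ma = parts[j]; sub(/^ma=/, "", ma) }
            print proto, port, ma
        }
    }'
}

# Succeed only if final "h3" is advertised on the expected port; report
# draft tokens such as h3-29 so they can be dropped from the header.
check_h3() {
    alt_svc_entries | awk -v want="$1" '
        $1 == "h3" && $2 == want { ok = 1 }
        $1 ~ /^h3-[0-9]+$/       { print "draft version still advertised: " $1 }
        END { exit !ok }'
}

# Constructed samples, using the alt-svc values shown in posts 15 and 16.
SAMPLE_CF='HTTP/3 200
server: cloudflare
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400'
SAMPLE_NGINX='HTTP/3 200
server: nginx centminmod
alt-svc: h3=":443"; ma=86400'

printf '%s\n' "$SAMPLE_CF" | alt_svc_entries
printf '%s\n' "$SAMPLE_NGINX" | check_h3 443 && echo "h3 advertised on 443"
# Live use: curl -sI https://domain.com/ | check_h3 443
```

After switching back to a non-QUIC build, the same check should fail; clients that already cached the header may keep trying h3 until the `ma` value (in seconds) expires.
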
  17. buik

    Nice catch with HTTP/3 on the Nginx Mainline.

    Problem for the near future and later on.
    The OpenSSL team seems to be stubborn and also finds it hard to listen to the community.

    In which they are now reinventing the HTTP/3 wheel. Partly why, after years, there is still no HTTP/3 support in OpenSSL. They could have just copied the code from quictls. Given their way of thinking, in the future I'm sure they'll also have a different take on the then upcoming, new technology. Not a good development if you ask me. But anyway, we have discussed this many times before. So that's no longer news to many.
     
  18. eva2000

    Yeah totally agree, for now Nginx folks support forked OpenSSL quicTLS library along with LibreSSL 3.6 and BoringSSL - all 3 crypto libraries already have laid out routine support in Centmin Mod Nginx in 130.00beta01 at least. Though haven't tested LibreSSL 3.6 and BoringSSL lately - only OpenSSL quicTLS forked library being the focus as it's already the library I use for custom curl and nghttp2/h2load binary build to add HTTP/3 QUIC support to curl and nghttp2/h2load as well :)
     
  19. buik

    Server push on HTTP/3 is also removed.
     
  20. eva2000
